Skip to main content
Skip table of contents

EKS Prerequisites

DKP Prerequisites

Before you begin using DKP, you must have:RIP

Ensure that the KUBECONFIG environment variable is set to the self-managed cluster by running export KUBECONFIG={SELF_MANAGED_AWS_CLUSTER}.conf.

AWS prerequisites

Before you begin using DKP with AWS, you must have:

Minimal User Permissions for Creating EKS Clusters:

The following is a cloudformation stack which adds a policy named eks-bootstrapper to manage EKS cluster to the dkp-bootstrapper-role created by the cloudformation stack in the Minimal Permissions and Role to Create Cluster section. Consult the Leveraging the Role section for an example of how to use this role and how a system administrator wants to expose using the permissions.

YAML 
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  existingBootstrapperRole:
    Type: CommaDelimitedList
    Description: 'Name of existing minimal role you want to add to add EKS cluster management permissions to'
    Default: dkp-bootstrapper-role
Resources:
  EKSMinimumPermissions:
    Properties:
      Description: Minimal user policy to manage eks clusters
      ManagedPolicyName: eks-bootstrapper
      PolicyDocument:
        Statement:
          - Action:
              - 'ssm:GetParameter'
            Effect: Allow
            Resource:
              - 'arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/*'
          - Action:
              - 'iam:CreateServiceLinkedRole'
            Condition:
              StringLike:
                'iam:AWSServiceName': eks.amazonaws.com
            Effect: Allow
            Resource:
              - >-
                arn:*:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS
          - Action:
              - 'iam:CreateServiceLinkedRole'
            Condition:
              StringLike:
                'iam:AWSServiceName': eks-nodegroup.amazonaws.com
            Effect: Allow
            Resource:
              - >-
                arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup
          - Action:
              - 'iam:CreateServiceLinkedRole'
            Condition:
              StringLike:
                'iam:AWSServiceName': eks-fargate.amazonaws.com
            Effect: Allow
            Resource:
              - >-
                arn:aws:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate
          - Action:
              - 'iam:GetRole'
              - 'iam:ListAttachedRolePolicies'
            Effect: Allow
            Resource:
              - 'arn:*:iam::*:role/*'
          - Action:
              - 'iam:GetPolicy'
            Effect: Allow
            Resource:
              - 'arn:aws:iam::aws:policy/AmazonEKSClusterPolicy'
          - Action:
              - 'eks:DescribeCluster'
              - 'eks:ListClusters'
              - 'eks:CreateCluster'
              - 'eks:TagResource'
              - 'eks:UpdateClusterVersion'
              - 'eks:DeleteCluster'
              - 'eks:UpdateClusterConfig'
              - 'eks:UntagResource'
              - 'eks:UpdateNodegroupVersion'
              - 'eks:DescribeNodegroup'
              - 'eks:DeleteNodegroup'
              - 'eks:UpdateNodegroupConfig'
              - 'eks:CreateNodegroup'
              - 'eks:AssociateEncryptionConfig'
              - 'eks:ListIdentityProviderConfigs'
              - 'eks:AssociateIdentityProviderConfig'
              - 'eks:DescribeIdentityProviderConfig'
              - 'eks:DisassociateIdentityProviderConfig'
            Effect: Allow
            Resource:
              - 'arn:*:eks:*:*:cluster/*'
              - 'arn:*:eks:*:*:nodegroup/*/*/*'
          - Action:
              - 'ec2:AssociateVpcCidrBlock'
              - 'ec2:DisassociateVpcCidrBlock'
              - 'eks:ListAddons'
              - 'eks:CreateAddon'
              - 'eks:DescribeAddonVersions'
              - 'eks:DescribeAddon'
              - 'eks:DeleteAddon'
              - 'eks:UpdateAddon'
              - 'eks:TagResource'
              - 'eks:DescribeFargateProfile'
              - 'eks:CreateFargateProfile'
              - 'eks:DeleteFargateProfile'
            Effect: Allow
            Resource:
              - '*'
          - Action:
              - 'iam:PassRole'
            Condition:
              StringEquals:
                'iam:PassedToService': eks.amazonaws.com
            Effect: Allow
            Resource:
              - '*'
          - Action:
              - 'kms:CreateGrant'
              - 'kms:DescribeKey'
            Condition:
              'ForAnyValue:StringLike':
                'kms:ResourceAliases': alias/cluster-api-provider-aws-*
            Effect: Allow
            Resource:
              - '*'
        Version: 2012-10-17
      Roles: !Ref existingBootstrapperRole
    Type: 'AWS::IAM::ManagedPolicy'

If your role is not named dkp-bootstrapper-role change the parameter on line 6 of the file.

To create the resources in the cloudformation stack copy the contents above into a file and run the following command after replacing MYFILENAME.yaml and MYSTACKNAME with the intended values for your system:

CODE 
aws cloudformation create-stack --template-body=file://MYFILENAME.yaml --stack-name=MYSTACKNAME --capabilities CAPABILITY_NAMED_IAM

Access Cluster

  • Use previously installed aws-iam-authenticator to access your cluster using kubectl. Amazon EKS uses IAM to provide authentication to your Kubernetes cluster.

  • Export the AWS region where you want to deploy the cluster:

    CODE 
    export AWS_REGION=us-west-2

  • Export the AWS profile with the credentials you want to use to create the Kubernetes cluster:

    CODE 
    export AWS_PROFILE=<profile>

    See the AWS site for more information about AWS credentials.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close